Drawing inspiration from bureaucracy and information security literature, we develop the theory of security bureaucracy—an evolutionary framework that describes how organizations arrive at their information-securing approaches. Within this framework, we describe three general bureaucratic archetypes (i.e., Security Prototype, Security Structure, and Security Superstructure) that emerge from the interplay between control and expertise. We also expound on the phenomenon of security bureaucracy and delineate how organizations can transition from coercive “iron cages” to enabling “iron shields” in information securing. We also use our security establish-enforce-enculturate (3E) evolutionary framework to inform a proposed variance model of security bureaucracy. Our efforts offer significant insights and implications for organizational information security research and practice.

中文翻译：

---

信息保护中的官僚机构：从铁笼到铁盾的转变


从官僚机构和信息安全文献中汲取灵感，我们开发了安全官僚机构理论——一个描述组织如何实现信息安全方法的演化框架。在这个框架内，我们描述了从控制和专业知识之间的相互作用中出现的三种一般官僚原型（即安全原型、安全结构和安全上层建筑）。我们还阐述了安全官僚主义现象，并描述了组织如何从强制性的“铁笼”转变为在信息安全方面启用“铁盾”。我们还使用我们的安全建立-执行-文化（3E）进化框架来为拟议的安全官僚机构差异模型提供信息。我们的努力为组织信息安全研究和实践提供了重要的见解和影响。